Users who want to continue using ssh must each run the command google-authenticator. This tool interatively helps you to create the file ~/.google_authenticator, which contains a shared secret and emergency passcodes. It's a terminal application, but it does still display a QR code for quick loading of the shared secret into your two factor device (in my case, this is the Google Authenticator app on my Android smartphone).

That's it! Now ssh logins will require a key, and after your key is verified will additionally require proof that you hold your second factor device.

Your existing ssh session should not be affected by these changes. So before you continue, make sure that you can still access the machine by authenticating with your new two factor system in another session. If you're using shared connections (or aren't sure), be sure to use the -Snone option to ssh in order to make sure that you don't accidentally skip authentication by re-using an existing connection.

As a system administrator, Linux security technician or system auditor, your responsibility can involve any combination of these: software patch management, malware scanning, file integrity checks, security audit, configuration error checking, etc. If there is an automatic vulnerability scanning tool, it can save you a lot of time checking up on common security issues.